diff --git a/src/authz/loader.rs b/src/authz/loader.rs
index 4ea965a..025aa17 100644
--- a/src/authz/loader.rs
+++ b/src/authz/loader.rs
@@ -156,7 +156,7 @@ fn dfs_cycle_check(
 fn build_permission_roles(roles: &HashMap<String, RoleDef>) -> HashMap<String, Vec<String>> {
     let mut map: HashMap<String, Vec<String>> = HashMap::new();
 
-    for (role_name, _) in roles {
+    for role_name in roles.keys() {
         let perms = collect_role_permissions(role_name, roles, &mut HashSet::new());
         for perm in perms {
             map.entry(perm).or_default().push(role_name.clone());
diff --git a/src/authz/policy.rs b/src/authz/policy.rs
index 4b9ba7c..78fdec6 100644
--- a/src/authz/policy.rs
+++ b/src/authz/policy.rs
@@ -203,7 +203,7 @@ fn dash_list(node: &kdl::KdlNode) -> Vec<String> {
         .nodes()
         .iter()
         .filter(|n| n.name().value() == "-")
-        .filter_map(|n| first_string_arg(n))
+        .filter_map(first_string_arg)
         .collect()
 }
 
diff --git a/src/web.rs b/src/web.rs
index 612b433..fdc46a9 100644
--- a/src/web.rs
+++ b/src/web.rs
@@ -535,7 +535,7 @@ async fn authorize(
         let requires_2fa = user.requires_2fa == 1  // Admin-enforced 2FA
             || is_high_value_scope(&q.scope)        // Context-based: high-value scope
             || q.max_age.as_ref().and_then(|ma| ma.parse::<i64>().ok())
-                .map_or(false, |ma| ma < 300); // Context-based: max_age < 5 minutes
+                .is_some_and(|ma| ma < 300); // Context-based: max_age < 5 minutes
 
         // If 2FA required but not verified, redirect to 2FA page
         if requires_2fa && sess.mfa_verified == 0 {
@@ -874,8 +874,8 @@ async fn consent_page(
                     urlencoded(&q.scope),
                     urlencoded(&q.redirect_uri),
                     urlencoded(&q.response_type),
-                    urlencoded(&q.code_challenge.as_ref().unwrap_or(&String::new())),
-                    urlencoded(&q.code_challenge_method.as_ref().unwrap_or(&String::new())),
+                    urlencoded(q.code_challenge.as_ref().unwrap_or(&String::new())),
+                    urlencoded(q.code_challenge_method.as_ref().unwrap_or(&String::new())),
                     q.state.as_ref().map(|s| format!("&state={}", urlencoded(s))).unwrap_or_default()
                 );
                 return Redirect::temporary(&format!(
@@ -893,8 +893,8 @@ async fn consent_page(
                 urlencoded(&q.scope),
                 urlencoded(&q.redirect_uri),
                 urlencoded(&q.response_type),
-                urlencoded(&q.code_challenge.as_ref().unwrap_or(&String::new())),
-                urlencoded(&q.code_challenge_method.as_ref().unwrap_or(&String::new())),
+                urlencoded(q.code_challenge.as_ref().unwrap_or(&String::new())),
+                urlencoded(q.code_challenge_method.as_ref().unwrap_or(&String::new())),
                 q.state.as_ref().map(|s| format!("&state={}", urlencoded(s))).unwrap_or_default()
             );
             return Redirect::temporary(&format!("/login?return_to={}", urlencoded(&return_to)))